Alpine Linux - User contributions [en]

Full disk encryption secure boot

2023-07-19T16:30:12Z

Blt: /* Grub settings */

'''Disclaimer : this is not to be followed, only for testing purposes. This will be updated when GRUB 2.12 rc1 will be available for LUKSv2, GRUB and FDE to work'''

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot. This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey resume"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>
XXXX could be found with blkid command

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
# grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

== Hibernate on encrypted LVM swap partition ==

Find your vg0-swap UUID :
<pre>lsblk -f</pre>

Add resume parameter to your /etc/default/grub :
<pre>GRUB_CMDLINE_LINUX_DEFAULT=....resume=UUID=<UUID of your vg0-swap partition>
</pre>

Add a line to your /etc/fstab :
<pre>/dev/vg0/swap none swap sw 0 0</pre>

Enable swap service during boot :
<pre>rc-update add swap default</pre>

Install zzz and test it
<pre># apk add zzz
zzz- Z</pre>

Done and congrats !

Full disk encryption secure boot

2023-07-18T16:06:18Z

Blt: add disclaimer

'''Disclaimer : this is not to be followed, only for testing purposes. This will be updated when GRUB 2.12 rc1 will be available for LUKSv2, GRUB and FDE to work'''

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot. This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey resume"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>
XXXX could be found with blkid command

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
# grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

== Hibernate on encrypted LVM swap partition ==

Find your vg0-swap UUID :
<pre>lsblk -f</pre>

Add resume parameter to your /etc/default/grub :
<pre>GRUB_CMDLINE_LINUX_DEFAULT=....resume=UUID=<UUID of your vg0-swap partition>
</pre>

Add a line to your /etc/fstab :
<pre>/dev/vg0/swap none swap sw 0 0</pre>

Enable swap service during boot :
<pre>rc-update add swap default</pre>

Install zzz and test it
<pre># apk add zzz
zzz- Z</pre>

Done and congrats !

Full disk encryption secure boot

2022-11-30T17:19:02Z

Blt:

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot. This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey resume"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
# grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

== Hibernate on encrypted LVM swap partition ==

Find your vg0-swap UUID :
<pre>lsblk -f</pre>

Add resume parameter to your /etc/default/grub :
<pre>GRUB_CMDLINE_LINUX_DEFAULT=....resume=UUID=<UUID of your vg0-swap partition>
</pre>

Add a line to your /etc/fstab :
<pre>/dev/vg0/swap none swap sw 0 0</pre>

Enable swap service during boot :
<pre>rc-update add swap default</pre>

Install zzz and test it
<pre># apk add zzz
zzz- Z</pre>

Done and congrats !

Full disk encryption secure boot

2022-11-30T17:18:54Z

Blt: two small format issues

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot. This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey resume"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
# grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

== Hibernate on encrypted LVM swap partition ==

Find your vg0-swap UUID :
<pre>lsblk -f</pre>

Add resume parameter to your /etc/default/grub :
<pre>GRUB_CMDLINE_LINUX_DEFAULT=....resume=UUID=<UUID of your vg0-swap partition>
</pre>

Add a line to your /etc/fstab :
<pre>/dev/vg0/swap none swap sw 0 0</pre>

Enable swap service during boot :
<pre>rc-update add swap default</pre>

Install zzz and test it
<pre># apk add zzz
zzz- Z</pre>

Done and congrats !

Full disk encryption secure boot

2022-11-30T17:17:17Z

Blt: done

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot. This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey resume"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/c
rypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

== Hibernate on encrypted LVM swap partition ==

Find your vg0-swap UUID :
<pre>lsblk -f</pre>

Add resume parameter to your /etc/default/grub :
<pre>GRUB_CMDLINE_LINUX_DEFAULT=....resume=UUID=<UUID of your vg0-swap partition>
</pre>

Add a line to your /etc/fstab :
<pre>/dev/vg0/swap none swap sw 0 0</pre>

Enable swap service during boot :
<pre>rc-update add swap default</pre>

Install zzz and test it
<pre># apk add zzz
zzz- Z</pre>

Done and congrats !

Full disk encryption secure boot

2022-08-08T21:35:15Z

Blt: formating

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey resume"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/c
rypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

== Hibernate on encrypted LVM swap partition ==

Find your vg0-swap UUID :
<pre>lsblk -f</pre>

Add resume parameter to your /etc/default/grub :
<pre>GRUB_CMDLINE_LINUX_DEFAULT=....resume=UUID=<UUID of your vg0-swap partition>
</pre>

Add a line to your /etc/fstab :
<pre>/dev/vg0/swap none swap sw 0 0</pre>

Enable swap service during boot :
<pre>rc-update add swap default</pre>

Install zzz and test it
<pre># apk add zzz
zzz- Z</pre>

Full disk encryption secure boot

2022-08-08T21:34:45Z

Blt: finsh hibernate

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey resume"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/c
rypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

== Hibernate on encrypted LVM swap partition ==

Find your vg0-swap UUID :
<pre>lsblk -f</pre>

Add resume parameter to your /etc/default/grub :
<pre>GRUB_CMDLINE_LINUX_DEFAULT=....resume=UUID=<UUID of your vg0-swap partition>

Add a line to your /etc/fstab :
<pre>/dev/vg0/swap none swap sw 0 0</pre>

Enable swap service during boot :
<pre>rc-update add swap default</pre>

Install zzz and test it
<pre># apk add zzz
zzz- Z</pre>

Full disk encryption secure boot

2022-08-08T11:44:03Z

Blt: add resume and hibernate section

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey resume"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/c
rypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

== Hibernate on encrypted LVM swap partition ==

Add a line to your /etc/fstab :
<pre>/dev/vg0/swap none swap sw 0 0</pre>

Enable swap service during boot :
<pre>rc-update add swap default</pre>

Full disk encryption secure boot

2022-08-08T10:20:31Z

Blt: ordering issue

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/c
rypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-08T10:16:54Z

Blt: missing lvm in grub-mkimage

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/c
rypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-07T22:08:17Z

Blt: typo lvmcrypt

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/c
rypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=lvmcrypt cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-07T21:43:14Z

Blt: typo on XXXX UUID

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/c
rypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=root cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted lvm partition UUID (here /dev/nvme0n1p2) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-07T21:34:09Z

Blt: grub adding cryptodisk option

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/c
rypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=root cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Finally, add the cryptodisk parameter :
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here vg0-root) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># mkdir /boot/efi/EFI/AlpineLinuxSecureBoot
grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-07T19:20:44Z

Blt: tweak grub for lvm

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the modules to the features parameters (keymap only needed if your keyboard is not QWERTY):
<pre>features="ata base ide scsi usb virtio ext4 lvm nvme keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd if=/dev/random bs=512 count=4 | xxd -p -c999 | tr -d '\n' > /mnt/c
rypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Edit /etc/default/grub and add cryptkey after cryptdm=root parameter like this:
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,nvme cryptroot=UUID=XXXX cryptdm=root cryptkey quiet rootfstype=ext4"
</pre>

Add a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm ext4"
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Create a /root/grub-pre.cfg and replace <XXXX-UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here vg0-root) without hyphens, replace <YYYY> with VG UUID from vgdisplay and replace <ZZZZ> with LV UUID from lvdisplay of your /dev/vg0/root
<pre>
set crypto_uuid=<XXXX-UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root='lvmid/<YYYY>/<ZZZZ>'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-07T18:34:32Z

Blt: missing bloc end

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup and lvm modules to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-07T18:33:51Z

Blt: small tweaks and proof until 'Installing Alpine'

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre> # gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries in memory.

Command (? for help): n
Partition number (1-128, default 1):
First sector (34-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (34-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
Physical volume "/dev/mapper/lvmcrypt" successfully created.
# vgcreate vg0 /dev/mapper/lvmcrypt
Volume group "vg0" successfully created
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
Logical volume "swap" created.
# lvcreate -l 100%FREE vg0 -n root
Logical volume "root" created.
</pre>

To check the creation :
<pre># lvscan
ACTIVE '/dev/vg0/swap' [20.00 GiB] inherit
ACTIVE '/dev/vg0/root' [455.92 GiB] inherit
</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
└─nvme0n1p2 259:2 0 476.4G 0 part
└─lvmcrypt 253:0 0 476.4G 0 crypt
├─vg0-swap 253:1 0 20G 0 lvm [SWAP]
└─vg0-root 253:2 0 456.4G 0 lvm /mnt

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup and lvm modules to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-07T17:52:02Z

Blt: converting the guide for LVM until Installing Alpine

{{Draft}}

This guide is to explain, step-by-step, how to setup Alpine Linux with Full Disk Encryption using LUKS2, LVM (one Physical Volume Partition with three Logical Volume Partitions (/ /boot & swap) with hibernation on a NVMe drive, with UEFI & Secure Boot (and hopefully tpm as well : WIP). This guide has been written using Alpine Linux Std 3.16.1, please adapt some commands if needed.

The goal of this guide is to follow the KISS principle, but another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if the proposed configuration is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For LVM:
<pre># apk add lvm2</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

To improve the entropy :
<pre># apk add haveged
# rc-service haveged start
</pre>

= Preparing / overwriting the disk =

This can take long, on my side for a 500GB nVME it tooks ~30 minutes.
<pre># haveged -n 0 | dd of=/dev/nvme0n1</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create two partitions :

* one for UEFI
* one for LVM

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 1000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup luksOpen /dev/nvme0n1p2 lvmcrypt

= LVM : Physical & Logical Volumes creation=
<pre># pvcreate /dev/mapper/lvmcrypt
# vgcreate vg0 /dev/mapper/lvmcrypt
# lvcreate -L 20G vg0 -n swap (I have a 16GB RAM laptop)
# lvcreate -L 512M vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root
</pre>

To check the creation :
<pre># lvscan</pre>

= Mounting points and File System =

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/vg0/root</pre>

Activate SWAP:
<pre># mkswap /dev/vg0/swap
# swapon /dev/vg0/swap
</pre>

Mount / partition to /mnt :
<pre># mount -t ext4 /dev/vg0/root /mnt</pre>

Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>

Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>

Check partition scheme:
<pre># lsblk

</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup and lvm modules to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
# sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-04T13:18:05Z

Blt: Delete Sequence of Events, same as contents

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt [SWAP]
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-04T13:16:02Z

Blt: small add

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt [SWAP]
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot & enter into your UEFI (Fx key depending of your laptop)

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-04T13:11:27Z

Blt: Add Import keys to UEFI and check signature UEFI

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt [SWAP]
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

To check that your .efi is signed :
<pre> # sbverify --cert /etc/uefi-keys/db.crt /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
Signature verification OK
sbverify --list /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi.signed
signature 1
image signature issuers:
- /CN="Your Name" (db)
image signature certificates:
- subject: /CN="Your Name" (db)
issuer: /CN="Your Name" (db)
</pre>

Reboot

== Import keys to UEFI ==

Copy db.auth, KEK.auth and PK.auth files from /etc/uefi-keys to a FAT formatted file system.
This is just an example from an XPS laptop, each UEFI is unique.

# Go to '''Boot Configuration''' > '''Secure Boot'''
# Change '''Enable Secure Boot''' to '''ON'''
# Change '''Secure Boot Mode''' to '''Deployed Mode'''
# Change '''Enable Custom Mode''' to '''ON'''
# Go to '''Custom Mode Key Management'''
#* '''Reset All Keys'''
#* '''Select Key Database''' select '''db''' > Replace from file > select your Flash Drive > select '''db.auth'''
#* '''Select Key Database''' select '''KEK''' > Replace from file > select your Flash Drive > select '''KEK.auth'''
#* '''Select Key Database''' select '''PK''' > Replace from file > select your Flash Drive > select '''PK.auth'''
# '''APPLY CHANGES''' > '''EXIT'''

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-04T11:16:23Z

Blt: adding missing package, removing unnecessary command

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt [SWAP]
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr sbsigntool
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

Reboot

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-04T11:03:39Z

Blt: small formating improvment

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt [SWAP]
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr
# efi-mkkeys -s "Your Name" -o /etc/uefi-keys
# echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

Reboot

Check Secure Boot State:
<pre># apk add mokutil
# mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-04T10:59:53Z

Blt: Remove unnecessary option for grub-mkimage

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt [SWAP]
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr
efi-mkkeys -s "Your Name" -o /etc/uefi-keys
echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

Reboot

Check Secure Boot State:
<pre>#apk add mokutil
mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-08-03T14:46:20Z

Blt: Adding SecureBoot

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt [SWAP]
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

= Configuring Secure Boot =
<pre># apk add efi-mkkeys efibootmgr
efi-mkkeys -s "Your Name" -o /etc/uefi-keys
echo 'disable_trigger=yes' >> /etc/mkinitfs/mkinitfs.conf
</pre>

Re-install Grub:
<pre># grub-mkimage -m /etc/uefi-keys/PK.crt -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinuxSecureBoot/
# sed -i 's/SecureBoot/SecureB00t/' /boot/efi/EFI/AlpineLinuxSecureBoot/grubx64.efi
# cd /boot/efi/EFI/AlpineLinuxSecureBoot/
# sbsign --key /etc/uefi-keys/db.key --cert /etc/uefi-keys/db.crt --output grubx64.efi.signed grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label 'Alpine Linux Secure Boot Signed' --load /EFI/AlpineLinuxSecureBoot/grubx64.efi.signed --verbose
</pre>

Reboot

Check Secure Boot State:
<pre>#apk add mokutil
mokutil --sb-state
SecureBoot enabled
</pre>

Congrats!

Full disk encryption secure boot

2022-07-28T09:36:20Z

Blt: adding Grub LUKS2 tweak

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt [SWAP]
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3) and adding a new GRUB_PRELOAD_MODULES line like this:
<pre>GRUB_CMDLINE_LINUX="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
</pre>

Create a /root/grub-pre.cfg and replace <UUID_WITHOUT_HYPHENS> with your encrypted root partition UUID (here /dev/nvme0n1p3) without hyphens
<pre>
set crypto_uuid=<UUID_WITHOUT_HYPHENS>
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

Re-install Grub:
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /boot/efi/EFI/AlpineLinux/
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

= Configuring Secure Boot =

Full disk encryption secure boot

2022-07-28T09:12:34Z

Blt: adding cryptkey to mkinitfs

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt [SWAP]
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup cryptkey"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3):
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=UUID=<UUID> cryptdm=nvme0n1p3-crypt cryptkey modules=sd-mod,usb-storage,ext4,nvme quiet rootfstype=ext4"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt ext4"
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_OS_PROBER=y
</pre>

Re-install Grub:
<pre># grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=AlpineLinux --modules="luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512"
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

= Configuring Secure Boot =

LVM on LUKS

2022-07-28T08:52:02Z

Blt: /* Luks2 */ add a note to remove hyphens from UUID

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.

Note that your {{path|/boot/}} partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that.

== Storage Device Name ==

To find your storage device's name, you could either install {{pkg|util-linux}} (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the {{path|/dev/sda}} device as installation destination. If your environment uses a different name for your storage device, use the corresponding device name in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (i.e. you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.

<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add urandom boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}

<pre># setup-ntp
# setup-apkrepos
# apk update
# setup-sshd</pre>

Here's where we deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}

<pre># apk add lvm2 cryptsetup e2fsprogs parted mkinitfs</pre>

Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:

<pre># apk add haveged
# rc-service haveged start</pre>

== Creating the Partition Layout ==

Depending on your motherboard, bios features and configuration
we can either use partition table in MBR (legacy BIOS)
or GUID Partition Table (GPT).
We'll describe both with example layouts.

=== BIOS/MBR with DOS disklabel ===

We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. <br>
Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is possible only with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

We'll use {{pkg|haveged}} as it is considerably faster than {{path|/dev/urandom}} when generating pseudo-random numbers (it's almost as high in throughput as {{path|/dev/zero}}), and is (supposedly) very close to truly random.

<pre># haveged -n 0 | dd of=/dev/sda2</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition that will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance on modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

Luks1 Optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2</pre>

Luks2 Optimized for security:

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

=== Converting between LUKS2 and LUKS1 ===

It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong:

<pre># cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup</pre>

Then make sure all keys use <code>pbkdf2</code> by adding a new key with:

<pre># cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2</pre>

Remove keys that use <code>argon2i</code> or <code>argon2id</code> with <code>cryptsetup luksRemoveKey /dev/sda2</code>. You can check the key information using <code>cryptsetup luksDump /dev/sda2</code>.

Now you can try the conversion, although it may not work.

<pre># cryptsetup convert /dev/sda2 --type luks1</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point, then mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. so we need to add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap swap swap defaults 0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, run this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.

We can also double check if <code>modules</code> and <code>root</code> are set correctly, eg:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then run chroot:

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we configured a few lines above.
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

==== Luks1 ====

<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

==== Luks2 ====
{{Note|The method is still experimental and you may lose your access to you OS at the next OS update}}

Create a pre-config grub file: <code>/root/grub-pre.cfg</code>

<pre>
set crypto_uuid=00001
cryptomount -u $crypto_uuid
set root='lvmid/00002/00003'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

You can find:
* 00001 with <code>blkid</code> and find the uuid of your encrypted disk, i.e <code>/dev/nvme0n1p2</code> remove hyphens from the UUID
* 00002 with <code>vgdisplay</code> & VG UUID
* 00003 with <code>lvdisplay</code> & LV UUID of the root partition /

<pre># (chroot) grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# (chroot) install -v /tmp/grubx64.efi /boot/efi/EFI/grub/
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

== Unmounting the Volumes and Partitions ==

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Setup the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

== System can't find boot device ==

* GPT partition table on a motherboard that runs BIOS instead of UEFI
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings

== I see "can not mount /sysroot" during boot ==

* incorrect device UUID
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code>

== normal.mod not found ==

* re-install <code>grub-install --target=x86_64-efi</code>

== Secure boot ==

If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

= Hardening =

* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf]{{dead link}} and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

= Mounting additional encrypted filesystems at boot =

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required.
{{Note|This does not apply for volumes
within your main encrypted partition <code>/dev/sda2</code>}}
For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://wiki.gentoo.org/wiki/Syslinux
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*https://wiki.gentoo.org/wiki/Dm-crypt

[[Category:Storage]]
[[Category:Security]]

Full disk encryption secure boot

2022-07-27T14:38:24Z

Blt: typos

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt [SWAP]
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt /mnt
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="...keymap cryptsetup"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p3):
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=UUID=XXXX cryptdm=nvme0n1p3-crypt cryptkey modules=sd-mod,usb-storage,ext4,nvme quiet rootfstype=ext4"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt ext4"
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_OS_PROBER=y
</pre>

Re-install Grub:
<pre># grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=AlpineLinux --modules="luks2 part_gpt cryptodisk ext2 gcry_rijndael pbkdf2 gcry_sha512"
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

= Configuring Secure Boot =

Full disk encryption secure boot

2022-07-27T14:32:37Z

Blt: typos

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS

</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/
MOUNTPOINT=/mnt setup-alpine
</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="... ext4 keymap cryptsetup"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f

</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p2):
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=UUID=XXXX cryptdm=nvme0n1p2-crypt cryptkey modules=sd-mod,usb-storage,ext4,nvme quiet rootfstype=ext4"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt ext4"
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_OS_PROBER=y
</pre>

Re-install Grub:
<pre># grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=AlpineLinux
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

= Configuring Secure Boot =

Full disk encryption secure boot

2022-07-27T14:25:05Z

Blt: typos

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS

</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/
MOUNTPOINT=/mnt setup-alpine
</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="... ext4 keymap cryptsetup"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f

</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p2):
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=UUID=XXXX cryptdm=nvme0n1p2-crypt cryptkey modules=sd-mod,usb-storage,ext4,nvme quiet rootfstype=ext4"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt ext4"
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_OS_PROBER=y
</pre>

Re-install Grub:
<pre># grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=AlpineLinux
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

= Configuring Secure Boot =

Full disk encryption secure boot

2022-07-27T14:13:42Z

Blt: updating Grub

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p2-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p3-crypt
# swapon /dev/mapper/nvme0n1p3-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 105.2M 1 loop /.modloop
sda 8:0 1 7.6G 0 disk /media/sda
├─sda1 8:1 1 148M 0 part
└─sda2 8:2 1 1.4M 0 part
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt /mnt
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt [SWAP]
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/
MOUNTPOINT=/mnt setup-alpine
</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter (keymap only needed if QWERTY is not used):
<pre>features="... ext4 keymap cryptsetup"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre># lsblk -f
nvme0n1
├─nvme0n1p1 vfat 62E0-E4C0 509.7M 0% /boot/efi
├─nvme0n1p2 crypto_LUKS 275836d9-05af-4e1a-bce5-335ef3bcd6e8
│ └─nvme0n1p2-crypt ext4 9bed7992-81cc-4126-8bbd-4e724dbb7bdd 13.9G 3% /
└─nvme0n1p3 crypto_LUKS 67eae09f-f533-4bfa-b874-e17016929138
└─nvme0n1p3-crypt swap fcb8594e-2409-4365-bf0b-0199c3acf1c6
</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p2):
<pre>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=UUID=275836d9-05af-4e1a-bce5-335ef3bcd6e8 cryptdm=nvme0n1p2-crypt cryptkey modules=sd-mod,usb-storage,ext4,nvme quiet rootfstype=ext4"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt ext4"
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_OS_PROBER=y
</pre>

Re-install Grub:
<pre># grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=AlpineLinux
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

= Configuring Secure Boot =

Full disk encryption secure boot

2022-07-27T09:02:39Z

Blt: Update Grub UUID

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p2-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p3-crypt
# swapon /dev/mapper/nvme0n1p3-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 105.2M 1 loop /.modloop
sda 8:0 1 7.6G 0 disk /media/sda
├─sda1 8:1 1 148M 0 part
└─sda2 8:2 1 1.4M 0 part
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt /mnt
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt [SWAP]
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/
MOUNTPOINT=/mnt setup-alpine
</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter:
<pre> features="... cryptsetup"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre> # touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre> # mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre> # lsblk -f
nvme0n1
├─nvme0n1p1 vfat 62E0-E4C0 509.7M 0% /boot/efi
├─nvme0n1p2 crypto_LUKS 275836d9-05af-4e1a-bce5-335ef3bcd6e8
│ └─nvme0n1p2-crypt ext4 9bed7992-81cc-4126-8bbd-4e724dbb7bdd 13.9G 3% /
└─nvme0n1p3 crypto_LUKS 67eae09f-f533-4bfa-b874-e17016929138
└─nvme0n1p3-crypt swap fcb8594e-2409-4365-bf0b-0199c3acf1c6
</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p2):
<pre> GRUB_CMDLINE_LINUX="cryptroot=UUID=275836d9-05af-4e1a-bce5-335ef3bcd6e8=nvme0n1p2-crypt:allow-discards cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
GRUB_ENABLE_CRYPTODISK=y
</pre>

Re-install Grub:
<pre> # grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=AlpineLinux
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

= Configuring Secure Boot =

Full disk encryption secure boot

2022-07-27T07:58:07Z

Blt: Format

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p2-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p3-crypt
# swapon /dev/mapper/nvme0n1p3-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 105.2M 1 loop /.modloop
sda 8:0 1 7.6G 0 disk /media/sda
├─sda1 8:1 1 148M 0 part
└─sda2 8:2 1 1.4M 0 part
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt /mnt
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt [SWAP]
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/
MOUNTPOINT=/mnt setup-alpine
</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter:
<pre> features="... cryptsetup"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre> # touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre> # mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre> # lsblk -f
nvme0n1
├─nvme0n1p1 vfat 62E0-E4C0 509.7M 0% /boot/efi
├─nvme0n1p2 crypto_LUKS 275836d9-05af-4e1a-bce5-335ef3bcd6e8
│ └─nvme0n1p2-crypt ext4 9bed7992-81cc-4126-8bbd-4e724dbb7bdd 13.9G 3% /
└─nvme0n1p3 crypto_LUKS 67eae09f-f533-4bfa-b874-e17016929138
└─nvme0n1p3-crypt swap fcb8594e-2409-4365-bf0b-0199c3acf1c6
</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p2):
<pre> GRUB_CMDLINE_LINUX="cryptroot=/dev/nvme0n1p2:nvme0n1p2-crypt:allow-discards cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
GRUB_ENABLE_CRYPTODISK=y
</pre>

Re-install Grub:
<pre> # grub-install --target=x86_64-efi --efi-directory=/boot/efi
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

= Configuring Secure Boot =

Full disk encryption secure boot

2022-07-27T07:56:29Z

Blt: Adding mkinitfs and Grub

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* mkinitfs settings & modules
* Grub settings
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add lsblk gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add efibootmgr e2fsprogs grub grub-efi</pre>

= Partitioning the disk =

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

* one for UEFI
* one for /
* one for swap (hibernation)

<pre># gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3):
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}:
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

= Configuring LUKS =

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>

= Mounting points and File System =

Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>

Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>

Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>

Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>

Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p2-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p3-crypt
# swapon /dev/mapper/nvme0n1p3-crypt</pre>
Check partition scheme:
<pre># lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 105.2M 1 loop /.modloop
sda 8:0 1 7.6G 0 disk /media/sda
├─sda1 8:1 1 148M 0 part
└─sda2 8:2 1 1.4M 0 part
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 511M 0 part /mnt/boot/efi
├─nvme0n1p2 259:2 0 15.5G 0 part
│ └─nvme0n1p2-crypt 253:0 0 15.5G 0 crypt /mnt
└─nvme0n1p3 259:3 0 460.9G 0 part
└─nvme0n1p3-crypt 253:1 0 460.9G 0 crypt [SWAP]
</pre>

= Installing Alpine =

<pre># setup-disk -m sys /mnt/
MOUNTPOINT=/mnt setup-alpine
</pre>

= mkinitfs settings & modules =
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter:
<pre> features="... cryptsetup"</pre>
Regenerate the initram:
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

= Grub settings =

Create a crypto_keyfile.bin to avoid typing the passphrase twice during the boot process (one for Grub partition, one for Alpine partition):
<pre> # touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /mnt/crypto_keyfile.bin
</pre>

Then, let's mount and chroot to our fresh installation:
<pre> # mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt
</pre>

Let's show the UUID of our partition scheme:
<pre> # lsblk -f
nvme0n1
├─nvme0n1p1 vfat 62E0-E4C0 509.7M 0% /boot/efi
├─nvme0n1p2 crypto_LUKS 275836d9-05af-4e1a-bce5-335ef3bcd6e8
│ └─nvme0n1p2-crypt ext4 9bed7992-81cc-4126-8bbd-4e724dbb7bdd 13.9G 3% /
└─nvme0n1p3 crypto_LUKS 67eae09f-f533-4bfa-b874-e17016929138
└─nvme0n1p3-crypt swap fcb8594e-2409-4365-bf0b-0199c3acf1c6
</pre>

Edit /etc/default/grub and add a new line starting with GRUB_CMDLINE_LINUX parameter, replacing <UUID> with the UUID of the encrypted partition (in this case /dev/nvme0n1p2):
<pre> GRUB_CMDLINE_LINUX="cryptroot=/dev/nvme0n1p2:nvme0n1p2-crypt:allow-discards cryptkey"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
GRUB_ENABLE_CRYPTODISK=y
</pre>

Re-install Grub:
<pre> # grub-install --target=x86_64-efi --efi-directory=/boot/efi
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>

= Configuring Secure Boot =

Full disk encryption secure boot

2022-07-27T07:23:29Z

Blt: Adding SWAP

Full disk encryption secure boot

2022-07-26T21:33:35Z

Blt: Adding LUKS, Mounting points and File System and Installing Alpine

Full disk encryption secure boot

2022-07-26T20:59:21Z

Blt: Packages & Partitions

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition on a nvme drive, with UEFI & Secure Boot.

= Sequence of Events =

* Installing packages
* Partitioning the disk
* Configuring LUKS
* Installing Alpine
* Configuring Secure Boot

= Installing packages =

To facilitate the partitioning we will use gdisk :
<pre># apk add gptfdisk</pre>

For encryption, we will use cryptsetup :
<pre># apk add cryptsetup</pre>

For using and managing UEFI, multiple packages are needed :
<pre># apk add e2fsprogs grub grub-efi</pre>

= Partitioning the disk =
Let's assume the disk is /dev/nvme0n1 and no partitions are present, we will create two partitions only : one for UEFI, one for /

<pre># gdisk /dev/nvme0n1
Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
</pre>

Full disk encryption secure boot

2022-07-26T17:18:32Z

Blt: Page creation

{{Draft}}

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, with UEFI & Secure Boot.